Security Nation, S3 E5

From the Dorm Room to the White House: How Researcher Jack Cable Works to Ensure Election Security

October 06, 2020

 

In our latest episode of Security Nation, we are joined by a rising star in Stanford University’s junior class: Jack Cable. We discuss everything from hacking the Pentagon in high school to ensuring progress in election security beyond just voting machines today.

Stick around for our Rapid Rundown, where Tod ditches his talk about the FBI's disinformation campaigns warning to discuss what really matters—a potential "Hackers" movie reboot. Hey, we have priorities! 

Appears on This Episode:

Jen Ellis
Jen Ellis
Vice President, Community and Public Affairs

Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.

Tod Beardsley
Tod Beardsley
Research Director, Rapid7

Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.

Jack Cable
Jack Cable
Security Researcher

Jack Cable is a security researcher and student at Stanford University, currently working on election security. Jack is a top-ranked bug bounty hacker, having identified over 350 vulnerabilities in companies including Google, Facebook, Uber, Yahoo, and the U.S. Department of Defense. After placing first in the Hack the Air Force challenge, Jack began working at the Pentagon’s Defense Digital Service. Jack was named one of Time Magazine’s 25 most influential teens for 2018. At Stanford, Jack studies computer science and launched Stanford’s bug bounty program, one of the first in higher education.

About the Security Nation Podcast

Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week. 


View all Security Nation episodes

Podcast Transcript

Jen Ellis: Hi, and welcome to another thrilling installment of Security Nation, the podcast where we talk to interesting people doing cool things in security, or sometimes vice versa. I'm your host, Jen Ellis, Rapid7's VP of Community and Public Affairs. And with me is my amazing co-host, Tod Beardsley.

Show more Show less

Tod Beardsley:

Wow, that's a lot of fanfare. Thank you.

Jen Ellis:

I do what I can for you, my friend. I feel like you're worth it.

Tod Beardsley:

Well, thank you.

Jen Ellis:

So Tod, I know I'm always excited about our guests, obviously, but I'm pretty excited about today's guest, even though he makes me feel like I've done nothing with my life. Nothing.

Tod Beardsley:

Same.

Jen Ellis:

It's ridiculous. So today's guest is ... He's sort of famous for all sorts of cool shit, including Hack the Pentagon, which is pretty amazing initiative that he participated in. And he's been doing all this crazy stuff. And he's a student at Stanford. I mean, it's amazing. So I'll just introduce you to Jack Cable. Hello, Jack. Thank you for joining us.

Jack Cable:

Thank you for having me.

Jen Ellis:

You're a security researcher and you're in what year at Stanford?

Jack Cable:

I'm a junior now.

Jen Ellis:

So because I'm British, you're going to have to explain that to me. Is that your third year?

Jack Cable:

That's third year.

Jen Ellis:

Right. So you're in your third year at Stanford in an undergraduate course. This is not like you're not doing some turbo Ph.D?

Jack Cable:

Yep. Yeah, that's correct. I'm an undergraduate studying computer science.

Jen Ellis:

And yet you have done all of this crazy bananas stuff where you've like worked for the U.S. government, and speak at conferences regularly and it's all very cool.

Jack Cable:

Yeah, I think yeah, it's a lot of fun to do this.

Jen Ellis:

Can you tell us a little bit about Hack the Pentagon and how you got involved there?

Jack Cable:

Yep. Yeah, so that was really when I was just getting started out in the world of security. So this was when I was a sophomore in high school. So I was 16 and I got an email that was ... I think the subject was like, "What if I told you the Pentagon wanted you to hack it?" And to me just starting out in security, this was pretty wild that the Pentagon was actually asking me, a high schooler, to try to find vulnerabilities in them. So of course I signed up to that. This was maybe four years ago, 2016. Participated in that. Didn't find much. I think I only found a few vulnerabilities that other people had already found, but I kept doing more of these challenges.

Jack Cable:

And another called Hack the Army, another one called Hack the Air Force. And in Hack the Air Force, I wound up eventually placing first in that, which was pretty cool to see how I can be recognized for finding those kinds of vulnerabilities. So that was really, in some ways, how I got into security. It was right when I was starting out, I got into security through Bug Bounties. Started doing more of these Hack the Pentagon programs. Started doing more with private companies and really just saw how much people appreciate this kind of work and how it could really help secure some companies.

Jen Ellis:

Awesome. That sounds really cool. So how long ago was that?

Jack Cable:

So the initial Hack the Pentagon was four years ago, 2016. And then they've been doing some ongoing challenges since then.

Jen Ellis:

So I'm completely certain that everybody brings up your age all the time and it's probably incredibly insufferable, but how old were you when you did that?

Jack Cable:

So when I started that I was 16.

Tod Beardsley:

Good for you. That I think that shows just an uncommon level of discipline.

Jack Cable:

Yeah, I think there's definitely a lot of value in sticking around through school, getting more complete background, which I'm enjoying.

Jen Ellis:

Yeah. I imagine though, that you've got no shortage of people vying to offer you a job when you graduate or before you graduate, which is a nice position to be in. It's not the position I was in with my incredibly valuable philosophy degree. Thank you to the nice people who gave me an internship out of uni. So what next? What are you working on at the moment?

Jack Cable:

So I've been doing a couple of different things right now. So a lot of it focuses on election security. So I'm working for the U.S. Cybersecurity and Infrastructure Security, which is say the federal government's main coordinator for, among other things, election security. So working with the states and the counties to help secure their elections. Of course, I'm required to say that this podcast is in my personal capacity. I do not have my employer here.

Jen Ellis:

We appreciate that.

Jack Cable:

So there's that. In addition to that, I've been doing some other projects as well, working with the Stanford Internet Observatory and fighting disinformation. So we're part of the election integrity partnership, which is a group of research entities who are tracking disinformation in real time as it relates to the 2020 election, which is coming up.

Jen Ellis:

Yeah, this does seem like a somewhat timely topic. And also a topic that I know is very near and dear to Mr. Beardsley's heart. So what specifically are you working on in election security and how is it going?

Jack Cable:

Yeah, well, I think there's a lot of really interesting areas and some very positive developments, I'd say, that have occurred. And I think one that I think we're going to focus on here is related to incorporating further security research to help uncover vulnerabilities, help make election systems more secure. And as we know, this is something that's been standardized in the industry for a while. Companies put out vulnerability disclosure policies to tell people how to report vulnerabilities to them, maybe bug bounties to pay people for doing that. But that historically really hadn't been the case with election systems.

Jack Cable:

So one of the things I've been working on personally is helping both some states, as well as some election companies to start their own vulnerability disclosure policies, and to say that researchers who report vulnerabilities to them will be given legal protection. They'll be recognized for it. They can disclose after a set number of days or once the vulnerability's fixed, all of that, which previously had never had with any of the election editors. But fortunately that's starting to turn around now.

Tod Beardsley:

Yeah, they really kind of have turned the corner on this. In the past, election vendors have been, to put it mildly, reluctant to play in the same space that we all do here in information security in the cybers. In the last, I think it was what? It was last year at the CISA Summit, they announced that they were involved or getting involved in a vulnerability disclosure policy. Is that right? Or was it more recent? Was it at Voter Village? I don't remember which one. Maybe it was-

Jack Cable:

I think so, yeah. They put out something last year, a request for information. So I think that kicked off from there, but yeah, you're right that this was a really rapid shift because if you look a few years ago, relationships between security researchers and the vendors were very rocky. Yeah, you can read all about that. And that's not to say that they're perfect now, but I think this is a positive step that the vendors have come forward and say that they actually value the work of security researchers, that they want to hear vulnerability reports from them and that they not take legal action against them.

Jack Cable:

So I think all of this combined is the industry, these companies saying that they want to do this better, that they recognize that what they've done in the past with this hasn't been the most effective. And that they can have much more productive outcomes for everyone if they work with security researchers and value their work.

Jen Ellis:

Which is a giant step forward. As you say, it's not perfect, but there's no such thing as perfect. Nobody's perfect on this, partly because it's a constantly shifting landscape, it's an evolution. And every time that we make progress, we learn more and we have the potential to make more progress. So the fact that they've started on this journey and that they are making steps forward, I think is a really, really big thing. Very cool. And it's a testament to the efforts of you and others working in this space. So on that note, what does it look like in terms of adoption? How is it going?

Jack Cable:

So I would say it's going really strong. So the group of companies I advise under the IT-ISAC, so that's the Information Technology Information Sharing and Analysis Center. We love the long acronyms. It's a group of an organization of companies that as part of that, they had another acronym, the EI-SIG the Elections Industry Special Interest Group, which was a group of six election companies, six of the largest, typically voting machine vendors, in the United States. So as part of this, you have what's viewed as the big three, which is ES&S, Dominion and Hart InterCivic, and then three other companies, which is Unisyn, Smartmatic and Clear Ballot. It's really a list of a lot of the big players in this space. I think ES&S, Dominion and Hart alone make up a significant-

Tod Beardsley:

They're like upwards of 90% of all elections in North America.

Jen Ellis:

On that note, as the token Brit, do these companies really just sell their stuff in the U.S., or are they also the companies that are underpinning elections around the world?

Jack Cable:

That's a good question. I don't know, Tod, if you know. My sense is that they're mostly focused on the U.S. I know there's some other international election companies, but yeah, I'm not entirely sure on how deployed they are outside of that.

Tod Beardsley:

I know that ES&S and Dominion both service elections outside the U.S., so namely Canada, but they're present in other elections around the world, for sure. And also too, we often categorize these companies as voting machine manufacturers, but they do a lot more than that. ES&S and Dominion specifically, I know those are the top two. Hart is great, I love you Hart InterCivic, you're wonderful. But ES&S and Dominion of the ones I'm more familiar with, and they also tend to run a lot of the backend IT. So like the voting tabulation stuff that are run by counties. So they are responsible not just for that endpoint that end users, aka voters, touch, but also all along the line, they're there and their people are there too. So they're pretty critical to the whole getting democracy done progress here.

Jack Cable:

Yeah, and I think that's a really good point that you bring up that they're not just voting machine vendors. And really, yeah, election security is so much more than just voting machines. I think this is something that traditionally infosec has focused more narrowly on voting machines, but there's really a wide range of technology out there. And a lot of cases, I think that present possibly more potential for attack than voting machines, because with voting machines, of course, while there have been cases that some are connected to the internet, the mass majority are not. So if you want to target them, you either have to do a physical attack on maybe supply chain, but it's going to be quite difficult just due to the fact that-

Jen Ellis:

Yeah, inefficient.

Jack Cable:

Yeah, you can't get to them over the internet in most cases. So if you compare that to something like a voter registration database or election item, which by nature are online, because people use them on the internet, then you've a lot more attack surface there. So I think that's something too that security community has to pay more attention to these systems beyond just voting machines that are also crucial to election systems that previously hadn't been looked at as much.

Jen Ellis:

So one of the things I think is really interesting in this area is, as you say, a lot of the discussion around election security started with a very strong focus on the security of voting machines themselves. And as you've just explained, that's a little bit of a misdirection of focus. It's not really probably the, be all and end-all when it comes to thinking about "hacking an election." What do you think the impact has been of that focus? Not just in terms of what it's done in another sector, but what it's done to public confidence. Do you think it's had an impact there?

Jack Cable:

I think certainly. A lot of the times when you see like election security being reported on publicly, it is with the focus on voting machines. A lot of this, for instance, you see, like if we look at the DEF CON Voting Village, which I think is really great, because that's probably the only venue where there is this security research of election systems in the public. But one of the less fortunate outcomes of that is that you do get some press that I think could be better framed because it'll say stuff like, "Every voting machines can be hacked," or, "Elections can be hacked." And kind of painting this as something that's a major point of vulnerability that could really jeopardize the outcome of our elections.

Jack Cable:

And I think one of the effects of this is that it's led to some of the further divisions between say the election companies and security researchers, the election officials and security researchers, because what they see is some of this misrepresenting the actual risks here, because yes, it's a concern if the voting machine is vulnerable, completely, but you have to consider how widely deployed it is. If it's not connected to the internet, the attack would have to be physical or local network-based, which is of course more difficult to pull off.

Jack Cable:

So I think in the past what vendors, traditional responses have been is, "This isn't realistic at all." In some cases they might deny the vulnerabilities. So you get these polarizing outcomes. I think if we can get to somewhere where we're actually working with the vendors to understand what the risk is, to disclose it with them, say via vulnerability disclosure policy, I think that can lead to much better outcomes where we can accurately represent the risk.

Tod Beardsley:

So when you say that the voting machine vendors I think were initially pretty cool to the researcher community, because these attacks were "far-fetched." But I do think that, that voting machine is your gateway into election IT right? The voting machine is the thing you can touch. It's the thing that, I don't know, a 16-year-old can dork around with at DEF CON, but then once you pass that hurdle, then you start seeing all of the other IT involved. So it's important to look at voting machines and it's important to look at the security of voting machines, but the voting machine security is not ... That's not like the center of the attack surface.

Tod Beardsley:

That is really the entryway into getting interested, and involved and hopefully hands-on, like you have done with working with these vendors of saying, "Hey, we do need to actually secure these inside IT systems because they're super-duper critical." More critical than payment processors where I can roll back a payment with a credit card or with basically any payment processor. Hard to roll back votes. So that's why these things have to be more secure from the outset than I think many, many other IT systems.

Jack Cable:

For sure.

Jen Ellis:

So it sounds like you're making progress, and it sounds like the voting machine or the voting vendor community is paying attention and is engaged, which is all really positive. What's been the biggest hurdles along the way? What have been the biggest challenges?

Jack Cable:

So I think that there's a couple that we can talk about. And maybe the first is something that's not really even ... It's an actual problem that comes into play when voting vendors are trying to develop vulnerability disclosure policies. And that's the question of how to define the scope for their program, because if you're like a standard tech company, I don't know, if you're Facebook or Google. It's pretty easy to say just, "Anything Facebook.com is ours. You can go after report vulnerabilities too. We'll pay you for that, it's easy." But for voting vendors, of course, since the technology they're making, most of the times they don't own because they of course are selling it to states and local election offices.

Jack Cable:

So when that's the case, they can't just go and say, "You're authorized to do security testing on all of these systems that we don't own." So that's a little trickier. So what they've decided on, and what I helped with is to initially these vulnerabilities disclosure policies cover their corporate environment. So kind of what you expect if they were just a standard company, their public facing internet assets, their websites, that kind of stuff, to start out. But then what they say is that, or some of them say at least, that if you do get authorization from someone who actually owns a voting machine, so that could be either if you're working directly with an election official, or maybe you own the voting machine yourself, because you bought off eBay, something like that.

Jack Cable:

So if you do get authorization from the owner, then they'll accept reports under the vulnerability disclosure policy. So I think that's a good starting point to do this; recognizing that it's good to just put your foot forward, get started with this. Of course, I think there's value in doing a slower rollout to not just dive into the deep end of course, to rather—

Tod Beardsley:

You don't want bugs, right?

Jack Cable:

Yep. So I think it's positive to say, start there, get comfortable interacting with external researchers, handling reports, fixing bugs when it's probably easier to fix them on your corporate network. But I think the next step is actually providing equipment to researchers. So I think what would be really great, for instance, is at next year's Voting Village, if we had vendors there alongside researchers. Who knows, maybe it'll be in person. Love to see how that turns out, but if we have done they're providing their systems to researchers saying that they can test them under their vulnerability disclosure policy. They disclose the vulnerabilities after 90 days.

Jack Cable:

Of course, they won't take legal action after them and maybe they'll give them some form of reward. And if they're doing this alongside researchers, I think it has really a potential to both, of course, in the security of these systems and discovering more vulnerabilities than could be found alone just working on a random machine that you're looking at, because maybe they're providing say documentation or other details that can be useful in researching vulnerabilities.

Jack Cable:

But I think beyond that, it makes this into a really positive story, because rather than having vendors and researchers fighting over vulnerabilities, now it's something that they both have done together. And we can see that they're working collaboratively to secure these election systems. So that's my hope that this can turn into something where vendors provide equipment to researchers to test under a vulnerability disclosure policy.

Tod Beardsley:

Jack, Jack, wait. I just had the greatest idea. What if we got one of the major voting vendors to set up a CTF environment using a reference implementation of their whole end-to-end voting system? Everything from voting machines through all the backend IT, all the database stuff, all of it, and sprinkle in delicious CTF flags throughout? Wouldn't that be fun?

Jack Cable:

That would be really terrific. Yeah I would love to see that.

Jen Ellis:

I think if you look at one of the other very well-established villages at DEF CON, the Biohacking Village, this seems like an approach that they've taken very successfully with the medical device lab that they have there, where they've gone from people bringing in technology that as you said, they'd bought on eBay, or that was actually connected to them physically that they'd been prescribed. To now being in a situation where medical device manufacturers pledge to bring technology. They set up CTFs with the organizers, and all were full blessing and support of the FDA, which I think does make a big difference.

Jen Ellis:

And I know CISA, as you mentioned at the beginning, the government agency that likes security so much it's got it in its name twice. That is a Krebs joke. I'm not at all ashamed of feeling it, but-

Jack Cable:

Good Krebs joke.

Jen Ellis:

But they're super engaged in this space, and I think they are doing, from the sounds of things, quite good work at helping with these relationships and helping to drive that forward. So hopefully in a couple of years, maybe even this year, you guys will be in as good a spot as the medical device lab. It should be cool.

Jack Cable:

Yep, I think that could be really great. And I'm hopeful that yeah, maybe yeah, for next year we could have something like that. I mean yeah, it really is, like you said, it's ... Of course, yeah, vulnerability disclosure is something that other industries have been doing for some time. And another example was that the defense digital service after you graduate high school, working on the Hack the Pentagon Program. We've done a couple of different events around DEF CON. When I was there, we did Hack the Marine Corps, which was an event where we had 100 hackers and many Marines in the same room, finding vulnerabilities on Marine systems.

Jack Cable:

That was 2018 at DEF CON. And since then, DDS, Defense Digital Service, has organized other challenges there as well. This year, for instance was, I think, very big and widely attended was the Hack that Sat, so Hack the Satellite event, which was hosted with the Air Force, where they actually allowed ... Set up a capture the flag competition to hack an actual satellite in there, which is something I think that only the Air Force can do. So some pretty cool events there. So I definitely think this is something that lots of industries are coming around to. And yeah, if the military can do it, if the Air Force can do it, anyone can.

Jen Ellis:

Please note that was a plug for the Aerospace Village that did not originate with me, nor was it prompted by me. It was completely organic from Jack. I just want to put that out there.

Tod Beardsley:

Only somewhat involved.

Jack Cable:

I am not paid to promote the Aerospace Village.

Jen Ellis:

And also a hat tip to a couple of Rapid7ers who I think participated in Hack the Sat and had an amazing time with that. It sounded like it was a fascinating thing to be part of. And again, I'm not showing my bias here towards the village. So, yeah, that's very cool. I think it'll be interesting to see where this goes. I think that there's been an enormous amount of growth in a relatively short period of time on the topic of election security, just in terms of how much focus it's got. There's still a huge challenge in that it's a machine that's hard to change quickly, but the degree of focus and I think importantly, the ability to keep that focus on in following years when there isn't a presidential election looming, will be very important, because it can't be something that gets talked about every four years.

Tod Beardsley:

Every four years, like 90 days before the election. And that brings me to actually another question. It's a very leading question, Jack. When this hits the internet, I think it will be under 30 days until the presidential election. Let's say I'm real amped up after listening to this podcast and I find a bug in an election system, or a voting machine or something, what should I do with it? Should I post it on Twitter?

Jack Cable:

So I'd say probably not. Might be controversial, but a month before the election maybe that's not the best move. But yeah, really I think that, yeah. Let's say this scenario, you do find a vulnerability in an election system. I think most people would say disclose it to the vendor. Give them at least 90 days before talking publicly about it, or at least until after the election. I think a lot of that at least is how election security impacts the public confidence. And of course, very, very soon after the election, I think anything that gets out there can really discourage people from participating in an election and believing the election results, especially if it's misrepresented.

Jack Cable:

So I think that as security professionals, I think we really do have a responsibility, not just now of course, right before an election, but all the time to think carefully about how we represent this to the public. Because of course, when there are vulnerabilities, we need to talk about them and we need to of course get them fixed. And it's important to have this form of public scrutiny so that vendors or manufacturers of these election systems can be held accountable. And so they can build hopefully more secure systems in the future.

Jack Cable:

But at the same time, it isn't helpful if the message we're sending out is, "Your election isn't secure and you shouldn't have confidence in the result," which I think we, for instance, saw and even is continuing some beliefs that the actual vote counts can be manipulated, even though the government has come out and said, "No, that would be one, very difficult to do. Two, we didn't see anything like that in 2016." What adversaries are trying to do instead of changing vote counts is to change people's opinions to lower their confidence in the election which-

Tod Beardsley:

If they change votes, they change voters right?

Jack Cable:

Exactly. So I think, like when we're thinking about how to represent the risk of election security, it needs to be in that frame that the most important safeguard against say these adversaries, is to keep confident in the election process on. So what that means 30 days before an election and as the election is going on is one, to of course vote. Encourage other people to vote. Participate in the process, if you're healthy to do so, say by serving as a poll worker, helping those who are perhaps less ... Or rather more likely to be affected by the virus, because we know, for instance, the majority of poll workers are in that older age range, are more vulnerable. So helping your fellow Americans there.

Jack Cable:

But really there is also responsibility to say when election night comes, there's a potential event, it's going to be a little rocky. That might be in a pretty large understatement. This is of course an incredibly polarized time, and who knows what's going to happen. But I think when election night comes around, it's important to keep confident in the underlying system, because for instance, every single election official I've talked to is incredibly committed to doing their job, which is ensuring the integrity of the elections. There's a very rigorous process behind it; auditing, making sure that the tallies are correct on that.

Jack Cable:

So I think that really what we need to be, be communicating as security professionals, is that like, yes, what we see election night, there might be for instance, false information spreading around. But none of that means that we should lose confidence in the process that runs our election. Because the moment we do, then the election loses its ability to actually do what it's supposed to.

Jen Ellis:

Yeah, we play into the hands of those who want to undermine democracy.

Jack Cable:

Yes.

Tod Beardsley:

Cool. So if you find a bug, don't post it on Twitter, just tell it to Jack and he'll deal with it for you. I would hate to find a bug and know that it's there and then later on learn that I got exploited. That's always the fear. Disclosure is important, like full public disclosure. Probably definitely don't don't go down that route.

Jack Cable:

Yep. Yep. So yeah, if you do find something, you can first of course try reporting it to, if the voting does have a vulnerability disclosure policy. So there is a number of different ones, like I say, E&S, Dominion, Hart, Unisyn all run vulnerability disclosure policies. So you can find that on their websites, but if you're unable to establish contact, if they don't have a vulnerability disclosure policy. Or for any other reason, you can also always report it to CISA, who coordinates vulnerability disclosure for bunch of different industries. So that's an option too if you're not able to make any headway.

Jen Ellis:

And you can do both, right? You can say, "Hey, I'm going to disclose it to the vendor, but just as a safety net, I'm also going to disclose it to CISA." I think that's a totally reasonable thing to do, and certainly much more reasonable than being like, "Hey Twitter, guess what I found?" And I would also say, as critical as election security is, and as critical to get this right in this sphere, this also applies much more broadly. Like in general, if you find anything, Twitter is rarely the appropriate first step for disclosure, unless, you know for sure there is exploitation in the wild and the vendor isn't going to do anything about it. There are better options for you than taking to Twitter.

Tod Beardsley:

Yeah, it's like when pandemic time happened, it's like everyone forgot about coordinate vulnerability disclosure all of a sudden. And we had this crazy high uptick in just straight to Twitter, or straight to public, straight to medium was ...

Jen Ellis:

Particularly if it related to Zoom.

Tod Beardsley:

So I would love to re-establish that norm of maybe do it a little bit quietly, and you'll get a better story in the end too, by the way. That's something that a lot of researchers seem to forget about is, yeah you'll get attention when you drop your 0days in the public, but you'll have better stories if you at least try to coordinate first. And you know what, that'll get you speaking slots.

Jack Cable:

Yeah, I'd say it's just courtesy. Really the same as maybe wearing a mask. You're doing this to just give them the heads up it's allowed them to fix it, makes everyone safer. Then you can talk about it later.

Jen Ellis:

Awesome. I think it's a good note to wrap on as a nice positive, like, "Hey, do the right thing," kind of a note. And thank you Jack for coming on and talking to us all about this. I hope that Stanford is giving you credits for this work, because I don't know the ways that you're fitting it all in. Obviously you're a more productive student than I was.

Jack Cable:

So I'm actually taking this quarter off to keep working at CISA.

Jen Ellis:

Ah, that is very sensible. I like this. Okay, very pragmatic. Well, good luck with it. And as I say, thank you for your efforts on all of this. I think that in the discussion around election security, we get so focused on a little bit of politics, a little bit of technical talk, that sometimes we forget that what's at stake here is democracy. And it is really important to have people defending democracy. So I super appreciate that people like you are doing that. Thank you. And also Mr. Beardsley who's a big defender of democracy.

Tod Beardsley:

Thank you very much. And I do very much appreciate the message of maybe instead of disclosing your super cool 0day, you will do more good by volunteering as a poll worker, getting people registered to vote, helping people vote, voting, all of those things. All of those boring non-technical things.

Jen Ellis:

Awesome. Jack, thank you so much and good luck with everything. We appreciate it.

Jack Cable:

Great. Thank you.

Jen Ellis:

So Tod what's happening in the world of the cybers this week?

Tod Beardsley:

Well, here's the thing, I wanted to talk about this story, it popped up and it seemed relevant, about the FBI warning of disinformation campaigns about hacked voter systems, because we're talking about election systems. And it's all this stuff about how mainly the FBI saying, and CISA too, FBI and CISA are saying that, oh, look out, there are groups out there that are claiming to have hacked voter systems, but they didn't, really.

Tod Beardsley:

Which really kind of goes to the heart of the things that we've been saying for two or three years here, of its all about... you don't even have to actually own the voting system, you just have to make people think you own the voting system. And it's all the stories about overseas hackers saying, oh, we have our voter databases and it turns out voter information is publicly available in almost every state with sometimes, very occasionally you have to go to a place to get it but a lot of times you can just like order it and download it but, I know in Texas, for example, it's an FTP site and you just download it, and then you just pinky-swear that you're not going to use it for marketing, but you're using it for a local thing. And that was what I was going to talk about.

Jen Ellis:

But then...

Tod Beardsley:

But then I saw a headline from Collider, which is a movie news website about, "A return to 'Hackers' is being actively considered," says director.

Jen Ellis:

I'm sorry, the film, "Hackers?"

Tod Beardsley:

The film, "Hackers," which is far more important.

Jen Ellis:

25 years on, and we get a reboot.

Tod Beardsley:

Yes.

Jen Ellis:

I mean, look, they just did it for "Bill and Ted," which I'm very much looking forward to seeing at some point.

Tod Beardsley:

That was exactly what I was thinking. It was great. It's the second best "Bill and Ted" movie, in my opinion.

Jen Ellis:

Which do you think is the best? We could fall out over this. This could break our relationship.

Tod Beardsley:

"Bill and Ted's Excellent Adventure" is the best. The first one.

Jen Ellis:

You don't like "Bogus Journey?"

Tod Beardsley:

It's fine. It's fine.

Jen Ellis:

Dude, they totally meld in death. How can you not? They have evil robot us-es. I don't understand how you cannot think this is amazing. All right, so anyway, I digress. So, way to ruin all my dreams. So Bill and Ted was fine, now they're looking at doing a new one of "Hackers." And would it be Jonny Lee Miller and Angelina Jolie?

Tod Beardsley:

See, here is the thing, I saw this story and I immediately fantasy-cast the story, basically. And I want a story where Acid Burn is a CEO, a tech CEO. They're all the hackers, but they have now grownup jobs.

Tod Beardsley:

Lord Nikon is the CTO of that same company. Cereal Killer is the CISO. So, he has basically, just has to complain about people not doing the right thing all the time. And Phantom Phreak is the CMO.

Jen Ellis:

I feel like Cereal Killer has become a security evangelist.

Tod Beardsley:

Sure.

Jen Ellis:

That's just Cereal Killer because he's very charismatic and outgoing, in his personality. I think he's become a security evangelist. And I think he's quoted in the New York Times every other day.

Tod Beardsley:

Well, I watched the 25th anniversary of "Hackers," with Matthew Lillard, just doing kind of live commentary along the way. It was pretty good. He's into this movie and he made the comment of, "Yeah, I'm not doing 20th and 25th anniversary special screenings of any other of my movies. This is the one."

Jen Ellis:

I love that. It's very cute.

Tod Beardsley:

And then Crash Override, of course is just a barista. He got out of the business cause he's not very good at it. And Joey became a Bitcoin millionaire. That's my casting.

Jen Ellis:

Let me think about this. I mean, Joey as a Bitcoin millionaire is kind of interesting

Tod Beardsley:

Bought Bitcoin when no one else was paying attention and they all called him stupid and now he's hanging out in the Caymans all the time.

Jen Ellis:

Oh my god, is Joey Satoshi? Is that what you're telling me?

Tod Beardsley:

Sure. Maybe he tells people he's Satoshi. And see, that could be the plot, right? Like I see Joey as, he's the Bitcoin millionaire and he's doing evil and he's the bad guy that they have to try go after him.

Jen Ellis:

I love this. I'm fully on board for this. How do we do a Kickstarter to get this funded? We can make it happen.

Tod Beardsley:

Well Iain Softley has said that they're talking to for real producers, he hasn't said much in the way of details or anything, but it is being quote, "actively considered" now.

Jen Ellis:

Do we need to launch a social media campaign to support this? #HackersForHackers?

Tod Beardsley:

Yes. Yes, we do.

Jen Ellis:

I mean the hashtag writes itself.

Tod Beardsley:

Yeah. So yeah, so that I think is the most-

Jen Ellis:

Right. Never mind the FBI, and their pesky, disinformation campaigns for elections.

Tod Beardsley:

Yeah. Hackers, elections, whatever.

Jen Ellis:

Let’s focus on the important issues.

Tod Beardsley:

We've got to get this movie going.

Jen Ellis:

I think it's terrible that I sort of support this prioritization.

Tod Beardsley:

It's a downer. It's hard to think about the election and not be sad. Here we are. But seriously, I guess, there are things, as we said in the interview with Jack, there are things that you can do, if you're listening to this podcast and you actually do want to help secure the election and make sure the election goes off, right. The best thing you can do is organize your friends and family to vote.

Tod Beardsley:

If you're healthy and able, please work the polling place, in in your local area, I'm positive your local county or township or whoever runs one of the 9,000, not a joke, election sites in the U.S., needs your help. So if you're able to do that, please do that. And in the meantime, think about what you would want a reboot of the "Hackers" franchise to look like 25 years on.

Jen Ellis:

I feel like I sense a blog series coming here. Ooh, you know what we should do? This is totally what we should do. We should try and get them on the podcast. I mean, obviously they'll want to come on our teeny-tiny podcast, who wouldn't?

Tod Beardsley:

I mean, I'll call Angie and I'll see what she's up to.

Jen Ellis:

I feel like she's actually the tech billionaire.

Tod Beardsley:

Yeah. Well that's why she's CEO in my fantasy movie.

Jen Ellis:

She definitely seemed like she had the drive.

Tod Beardsley:

And she's like on her third company now, and this is the good one, this is the one that takes off.

Jen Ellis:

Do you want to contact them and say that you have a script available?

Tod Beardsley:

I am more than willing to sell it for $70,000. That's it. That's all I need.

Jen Ellis:

I mean, I feel like you have to spent some time thinking about how much you would ask for, that was just ready to go.

Tod Beardsley:

70,000 is fine. I just want to see the thing happen. It's basically charity work.

Jen Ellis:

Yeah. I think I definitely see a social media campaign on this in our future. So thank you to our amazing special guest, Jack Cable, who is doing amazing work and doing a lot to advance election security, as are you Mr. Beardsley, so thank you to you, too.

Tod Beardsley:

Jack does so much more than I do, that's for sure.

Jen Ellis:

He does a lot. It's very impressive. It is very, very impressive. Thank you to the people who are considering rebooting "Hackers." Don't mess it up and as ever, thank you to our amazing producer, Bri.

Jen Ellis:

Thanks, Bri. Check out the next episode.